Scammers are homing in on the shipping industry, using “whaling,” a.k.a. business email compromise (BEC) attacks, to scoop up credentials or, worse, compromise critical systems.
Attackers are launching whaling attacks against a range of employee roles, backed by serious online (and sometimes telephone-based) social-engineering research, Pen Test Partners researchers said in a Tuesday post.
Whaling is nothing new, but it continues to grow – and attacks against the shipping industry, known for its lax security measures, are proving to be rampant. In fact, the FBI says that BEC scams in 2018 resulted in losses of more than $12.5 billion – more than double the $5 billion in losses accrued in 2017.
In many cases, scammers are using social engineering to imitate higher-level executives — based on data collected via social media and other tools — to trick unsuspecting victims into performing various activities, including opening malware-riddled attachments or transferring payments to suspicious accounts.
“[The motive] is likely to predominantly be stealing money, but could easily be gaining access; a number of large-scale attacks have resulted in this,” Tony Gee, security consultant at Pen Test Partners, told Threatpost. “Companies are getting better at securing their perimeter – but worse at training their staff to spot attacks.”
Social Engineering
Scammers start by collecting an array of publicly-available information on targets. That can include data from social-media pages, like personal facts (birthday, location, etc.) on Facebook and business information (title, coworkers, business organizational structure – even how the business interacts with suppliers) on LinkedIn.
For instance, if someone posted a picture of themselves at a recent conference, a scammer could swoop in and say in an email that they’d met at that conference.
In a common attack scenario, “An email arrives to your accounts payable department, stating that the supplier’s bank details have changed,” said Ken Munro, a researcher with Pen Test Partners. “The logo is correct, the name of the individual making the request is one you recognize. Bank details are changed for the next payment run to the supplier. Except [it] was a scam and the money has now disappeared.”
In another common situation, the bad actor poses as the CEO or another high-ranking executive, using what they have discovered about the victim online. The scammer waits until the executive posts that they are going on vacation or will be on a long flight, then sends an email to someone in the finance team purporting to come from that high-level exec, asking them to make an urgent payment and stating that someone’s job is on the line if the payment is not made. Attempts to validate the request fail because the CEO is on a long flight – so the finance employee is intimidated into making the payment.
“Spotting these attacks can be hard, since they often use different data points to build a convincing picture,” Gee told Threatpost. “Commonly on high-value attacks, the emails will be prefaced with a phone call to the victim to ‘set them up.’ In a large organization, if the CEO rings you personally you will act, especially as it is unlikely the victim will know exactly how the CEO sounds, as they may never have met them or spoken to them before.”
Sending malware to a victim via email attachments is another effective way that the shipping industry has been compromised.
“Emails are constructed and often made to appear as if they are being sent internally,” said Munro. “One easy method is for the scammer to create a similar looking email address, often exploiting subtle differences between letters such as a ‘1’, ‘l’, ‘I’ to fool the reader into thinking it’s a legitimate email.”
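The two impersonation tricks described above (a look-alike domain built from confusable characters, and an executive's display name paired with an outside address) are both mechanically detectable at the mail gateway. The following is an added example, not code from the Threatpost article or from Pen Test Partners: it folds confusable characters to a canonical form, compares the sender domain against a constructed list of trusted domains by normalised equality and edit distance, and flags messages whose display name matches a constructed executive list but whose address does not. The domain `example-shipping.com`, the executive `Jane Doe` and all sample headers are constructed for illustration.

```python
"""Flag look-alike sender domains and executive display-name spoofing.

Added example, not from the article; policy data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy: the organisation's own domain(s) and the executives
# most likely to be impersonated, mapped to their genuine address.
TRUSTED_DOMAINS = {"example-shipping.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-shipping.com"}  # hypothetical CEO

# Single-character confusables folded to one canonical letter (covers the
# '1' / 'l' / 'I' swap quoted above); multi-character pairs are in normalise().
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def normalise(label: str) -> str:
    """Fold visually similar characters so look-alike strings compare equal."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(_CONFUSABLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches a dropped hyphen or a single swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    lookalike_domain: Optional[str] = None  # trusted domain being imitated
    exec_mismatch: Optional[str] = None     # exec name used with wrong address

    @property
    def suspicious(self) -> bool:
        return bool(self.lookalike_domain or self.exec_mismatch)


_FROM = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<?(?P<addr>[^<>\s]+@[^<>\s]+)>?\s*$')


def parse_from(header: str) -> Tuple[str, str]:
    """Split a From: header into (display name, lowercase address)."""
    m = _FROM.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    return m.group("name").strip(), m.group("addr").lower()


def check_sender(from_header: str) -> Verdict:
    """Apply both checks to one From: header and return the findings."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[1]
    verdict = Verdict(sender=addr)

    # Only domains that are *not* ours can be look-alikes of ours.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalise(domain) == normalise(trusted) or levenshtein(domain, trusted) <= 2:
                verdict.lookalike_domain = trusted
                break

    # A known executive's name on any address other than their real one.
    expected = EXECUTIVES.get(name.lower())
    if expected and addr != expected:
        verdict.exec_mismatch = f"{name} expected from {expected}"
    return verdict


if __name__ == "__main__":
    # Constructed sample headers, one genuine and several impersonations.
    for hdr in [
        "Jane Doe <jane.doe@example-shipping.com>",
        "Jane Doe <jane.doe@examp1e-shipping.com>",
        "Accounts Payable <ap@exampleshipping.com>",
        "Jane Doe <ceo.janedoe@gmail.com>",
    ]:
        v = check_sender(hdr)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {hdr}  {v.lookalike_domain or ''} {v.exec_mismatch or ''}")
```

The normalised comparison is deliberately restricted to the organisation's own trusted domains: folding `i` to `l` would produce false matches between unrelated domains, but a domain that normalises to exactly ours while not being ours is precisely the look-alike the article describes. A gateway rule based on this would quarantine or banner-tag the message rather than block it outright, so that a genuine supplier with a similar name is reviewed rather than lost.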
Shipping Industry Targeted
A report published last year found that the global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a literal collision course by manipulating navigation systems. Worse, the Pen Test Partners report found that the flaws are trivial to execute and easy to mitigate against.
Researchers in April also identified a hacking group behind several wide-scale BEC attacks that have cost the maritime shipping industry millions of dollars since 2017. Attackers in the campaign took advantage of the industry’s lax security and its use of outdated computers.
Training executives is “critical” to helping prevent these attacks, especially those in target areas such as finance, said Gee.
It’s important to “remember [BEC] targets are not going to be in most cases management-level, they will be subordinates,” said Gee. “This is how the scam works so well. No one challenges the boss. Teach staff to always validate by speaking directly to bosses themselves, or at least to the PA. Bosses need to make themselves approachable so that staff don’t need to worry about knocking on their door to validate. It is important to always have layers of approval in place before money is sent, these should not be able to be bypassed, irrespective of time pressure or who is asking.”